sammmm-e1 Absent Member.

Adding Variables to Active Lists via Lightweight rules


Anybody know if this is possible?

Cheers

rhope Acclaimed Contributor.

Re: Adding Variables to Active Lists via Lightweight rules


That's one of the main uses for them. Are you having a specific problem?

sammmm-e1 Absent Member.

Re: Adding Variables to Active Lists via Lightweight rules


Hi Richard,

I'm trying to create a list of active hosts on a network - whilst using a LW rule and the tolower function in a variable to remove any duplicates. Then adding this host to the active list if it is not already in the active list.

Then a correlation rule will look for when I see a new entry in the AL to fire an alert.

I have tested this with standard rules and it works fine however the overhead is obviously huge.

So how do I write that variable to an active list within a LW rule if I can't

a) aggregate upon it (other articles have suggested this is necessary)

b) set event field actions in LW rule

c) add that variable (global or not) to the event fields req in the active list.

Help much appreciated.

Cheers,

Sam

rhope Acclaimed Contributor.

Re: Adding Variables to Active Lists via Lightweight rules


No need to aggregate in this instance; your local variable will show up as a field that can be mapped to an ActiveList field. No correlation event is being created, so there's no need to have Set Event Field as an action.

sammmm-e1 Absent Member.

Re: Adding Variables to Active Lists via Lightweight rules


It was because I was using Event based AL rather than Field based..

Derp..

Thanks!
